etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding new IAM service under services. There are two modules to this component: 

part a) plugin - This contains all adapter implementations and components necessary to interact with CloudStack.

part b) server - This contains IAM interfaces that are not aware of any CloudStack entities, they are pure IAM interface that can be implemented in varied ways.
The default implementation provided just works on DB and generic Dao layer.
But these interfaces can be implemented using connectors interacting with LDAP or AD.
This commit is contained in:
Prachi Damle 2013-12-26 15:16:12 -08:00
parent b7c3411be9
commit 2543fbe846
43 changed files with 4525 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
services/iam/plugin/pom.xml Normal file
View File

@ -0,0 +1,29 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>cloud-plugin-iam</artifactId>
<name>Apache CloudStack IAM - Plugin</name>
<parent>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloudstack-service-iam</artifactId>
<version>4.3.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
</project>

18
services/iam/plugin/resources/META-INF/cloudstack/acl-role-based-access-checkers/module.properties Normal file
View File

@ -0,0 +1,18 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
name=acl-role-based-access-checkers
parent=api

32
services/iam/plugin/resources/META-INF/cloudstack/acl-role-based-access-checkers/spring-acl-role-based-access-checkers-context.xml Normal file
View File

@ -0,0 +1,32 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd"
>
<bean id="RoleBasedEntityAccessChecker" class="org.apache.cloudstack.acl.entity.RoleBasedEntityAccessChecker" />
</beans>

66
services/iam/plugin/src/org/apache/cloudstack/acl/AclService.java Normal file
View File

@ -0,0 +1,66 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import java.util.List;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import com.cloud.user.Account;
public interface AclService {
/* ACL group related interfaces */
AclGroup createAclGroup(Account caller, String aclGroupName, String description);
boolean deleteAclGroup(Long aclGroupId);
List<AclGroup> listAclGroups(long accountId);
AclGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
AclGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
/* ACL Policy related interfaces */
AclPolicy createAclPolicy(Account caller, String aclPolicyName, String description, Long parentPolicyId);
boolean deleteAclPolicy(long aclPolicyId);
List<AclPolicy> listAclPolicies(long accountId);
AclGroup attachAclPoliciesToGroup(List<Long> roleIds, Long groupId);
AclGroup removeAclPoliciesFromGroup(List<Long> roleIds, Long groupId);
AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm);
AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action);
AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action);
boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity);
/* Visibility related interfaces */
List<Long> getGrantedDomains(long accountId, String action);
List<Long> getGrantedAccounts(long accountId, String action);
List<Long> getGrantedResources(long accountId, String action);
}

736
services/iam/plugin/src/org/apache/cloudstack/acl/AclServiceImpl.java Normal file
View File

@ -0,0 +1,736 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.acl.dao.AclApiPermissionDao;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclGroupDao;
import org.apache.cloudstack.acl.dao.AclGroupPolicyMapDao;
import org.apache.cloudstack.acl.dao.AclPolicyDao;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.api.BaseListCmd;
import org.apache.cloudstack.context.CallContext;
import com.cloud.api.ApiServerService;
import com.cloud.domain.Domain;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.storage.Snapshot;
import com.cloud.storage.Volume;
import com.cloud.template.VirtualMachineTemplate;
import com.cloud.user.Account;
import com.cloud.user.AccountManager;
import com.cloud.user.dao.AccountDao;
import com.cloud.uservm.UserVm;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.GenericSearchBuilder;
import com.cloud.utils.db.JoinBuilder.JoinType;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.TransactionCallbackNoReturn;
import com.cloud.utils.db.TransactionStatus;
@Local(value = {AclService.class})
public class AclServiceImpl extends ManagerBase implements AclService, Manager {
public static final Logger s_logger = Logger.getLogger(AclServiceImpl.class);
private String _name;
@Inject
AccountManager _accountMgr;
@Inject
AccountDao _accountDao;
@Inject
AclPolicyDao _aclPolicyDao;
@Inject
AclGroupDao _aclGroupDao;
@Inject
EntityManager _entityMgr;
@Inject
AclGroupPolicyMapDao _aclGroupPolicyMapDao;
@Inject
AclGroupAccountMapDao _aclGroupAccountMapDao;
// @Inject
// AclApiPermissionDao _apiPermissionDao;
@Inject
AclPolicyPermissionDao _policyPermissionDao;
@Inject
ApiServerService _apiServer;
public static HashMap<String, Class> entityClassMap = new HashMap<String, Class>();
static {
entityClassMap.put("VirtualMachine", UserVm.class);
entityClassMap.put("Volume", Volume.class);
entityClassMap.put("Template", VirtualMachineTemplate.class);
entityClassMap.put("Snapshot", Snapshot.class);
// To be filled in later depending on the entity permission grant scope
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true)
public AclGroup createAclGroup(Account caller, String aclGroupName, String description) {
Long domainId = caller.getDomainId();
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
// domain admin can only create role for his domain
if (caller.getDomainId() != domainId.longValue()) {
throw new PermissionDeniedException("Can't create acl group in domain " + domainId + ", permission denied");
}
}
// check if the role is already existing
AclGroup grp = _aclGroupDao.findByName(domainId, aclGroupName);
if (grp != null) {
throw new InvalidParameterValueException(
"Unable to create acl group with name " + aclGroupName
+ " already exisits for domain " + domainId);
}
AclGroupVO rvo = new AclGroupVO(aclGroupName, description);
rvo.setAccountId(caller.getAccountId());
rvo.setDomainId(domainId);
return _aclGroupDao.persist(rvo);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group")
public boolean deleteAclGroup(final Long aclGroupId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
final AclGroup grp = _aclGroupDao.findById(aclGroupId);
if (grp == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId
+ "; failed to delete acl group.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, grp);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this group related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this group related entry in acl_group_account table
List<AclGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
if (groupAcctMap != null) {
for (AclGroupAccountMapVO grpAcct : groupAcctMap) {
_aclGroupAccountMapDao.remove(grpAcct.getId());
}
}
// remove this group from acl_group table
_aclGroupDao.remove(aclGroupId);
}
});
return true;
}
@Override
public List<AclGroup> listAclGroups(long accountId) {
GenericSearchBuilder<AclGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
groupSB.selectFields(groupSB.entity().getAclGroupId());
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
SearchCriteria<Long> groupSc = groupSB.create();
List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
SearchBuilder<AclGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclGroupVO> sc = sb.create();
sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
List<AclGroupVO> groups = _aclGroupDao.search(sc, null);
return new ArrayList<AclGroup>(groups);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding accounts to acl group")
public AclGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add accounts to acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_account_map table
for (Long acctId : acctIds) {
// check account permissions
Account account = _accountDao.findById(acctId);
if (account == null) {
throw new InvalidParameterValueException("Unable to find account: " + acctId
+ "; failed to add account to acl group.");
}
_accountMgr.checkAccess(caller, null, true, account);
AclGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap == null) {
// not there already
grMap = new AclGroupAccountMapVO(groupId, acctId);
_aclGroupAccountMapDao.persist(grMap);
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing accounts from acl group")
public AclGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove accounts from acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_group_account_map table
for (Long acctId : acctIds) {
// check account permissions
Account account = _accountDao.findById(acctId);
if (account == null) {
throw new InvalidParameterValueException("Unable to find account: " + acctId
+ "; failed to add account to acl group.");
}
_accountMgr.checkAccess(caller, null, true, account);
AclGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap != null) {
// not removed yet
_aclGroupAccountMapDao.remove(grMap.getId());
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_CREATE, eventDescription = "Creating Acl Policy", create = true)
public AclPolicy createAclPolicy(Account caller, final String aclPolicyName, final String description, final Long parentPolicyId) {
Long domainId = caller.getDomainId();
if (!_accountMgr.isRootAdmin(caller.getAccountId())) {
// domain admin can only create role for his domain
if (caller.getDomainId() != domainId.longValue()) {
throw new PermissionDeniedException("Can't create acl role in domain " + domainId + ", permission denied");
}
}
// check if the role is already existing
AclPolicy ro = _aclPolicyDao.findByName(domainId, aclPolicyName);
if (ro != null) {
throw new InvalidParameterValueException(
"Unable to create acl policy with name " + aclPolicyName
+ " already exisits for domain " + domainId);
}
final long account_id = caller.getAccountId();
final long domain_id = domainId;
AclPolicy role = Transaction.execute(new TransactionCallback<AclPolicy>() {
@Override
public AclPolicy doInTransaction(TransactionStatus status) {
AclPolicyVO rvo = new AclPolicyVO(aclPolicyName, description);
rvo.setAccountId(account_id);
rvo.setDomainId(domain_id);
AclPolicy role = _aclPolicyDao.persist(rvo);
if (parentPolicyId != null) {
// copy parent role permissions
List<AclPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
if (perms != null) {
for (AclPolicyPermissionVO perm : perms) {
perm.setAclPolicyId(role.getId());
_policyPermissionDao.persist(perm);
}
}
}
return role;
}
});
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_DELETE, eventDescription = "Deleting Acl Policy")
public boolean deleteAclPolicy(final long aclPolicyId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
final AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to delete acl policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this role related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this policy related entry in acl_policy_permission table
List<AclPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
if (policyPermMap != null) {
for (AclPolicyPermissionVO policyPerm : policyPermMap) {
_policyPermissionDao.remove(policyPerm.getId());
}
}
// remove this role from acl_role table
_aclPolicyDao.remove(aclPolicyId);
}
});
return true;
}
@Override
public List<AclPolicy> listAclPolicies(long accountId) {
// static policies of the account
SearchBuilder<AclGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
GenericSearchBuilder<AclGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
policySB.selectFields(policySB.entity().getAclPolicyId());
policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
JoinType.INNER);
policySB.done();
SearchCriteria<Long> policySc = policySB.create();
policySc.setJoinParameters("accountgroupjoin", "account", accountId);
List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
SearchBuilder<AclPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
List<AclPolicyVO> policies = _aclPolicyDao.customSearch(sc, null);
return new ArrayList<AclPolicy>(policies);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Attaching policy to acl group")
public AclGroup attachAclPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add roles to acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long policyId : policyIds) {
// check policy permissions
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
_accountMgr.checkAccess(caller, null, true, policy);
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap == null) {
// not there already
grMap = new AclGroupPolicyMapVO(groupId, policyId);
_aclGroupPolicyMapDao.persist(grMap);
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing policies from acl group")
public AclGroup removeAclPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove roles from acl group.");
}
// check group permissions
_accountMgr.checkAccess(caller, null, true, group);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_role_map table
for (Long policyId : policyIds) {
// check policy permissions
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
_accountMgr.checkAccess(caller, null, true, policy);
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap != null) {
// not removed yet
_aclGroupPolicyMapDao.remove(grMap.getId());
}
}
}
});
return group;
}
/*
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting permission to Acl Role")
public AclP addAclPermissionToAclPolicy(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclPolicyDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to grant permission to role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm == null) {
// not there already
perm = new AclApiPermissionVO(aclRoleId, api);
_apiPermissionDao.persist(perm);
}
}
}
});
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking permission from Acl Role")
public AclRole revokeApiPermissionFromAclRole(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclPolicyDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to revoke permission from role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm != null) {
// not removed yet
_apiPermissionDao.remove(perm.getId());
}
}
}
});
return role;
}
*/
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting acl permission to Acl Policy")
public AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action, Permission perm) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to add permission to policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission granting is not supported yet");
}
if (scope == PermissionScope.RESOURCE && scopeId != null) {
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId);
}
_accountMgr.checkAccess(caller, null, true, entity);
}
// add entry in acl_policy_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, perm);
if (permit == null) {
// not there already
Class<?> cmdClass = _apiServer.getCmdClass(action);
AccessType accessType = null;
if (BaseListCmd.class.isAssignableFrom(cmdClass)) {
accessType = AccessType.ListEntry;
}
permit = new AclPolicyPermissionVO(aclPolicyId, action, entityType, accessType,
scope, scopeId, perm);
_policyPermissionDao.persist(permit);
}
return policy;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking acl permission from Acl Policy")
public AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, PermissionScope scope, Long scopeId, String action) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to revoke permission from policy.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, policy);
// get the entity and check permission
Class entityClass = entityClassMap.get(entityType);
if (entityClass == null) {
throw new InvalidParameterValueException("Entity type " + entityType + " permission revoke is not supported yet");
}
if (scope == PermissionScope.RESOURCE && scopeId != null) {
ControlledEntity entity = (ControlledEntity)_entityMgr.findById(entityClass, scopeId);
if (entity == null) {
throw new InvalidParameterValueException("Unable to find entity " + entityType + " by id: " + scopeId);
}
_accountMgr.checkAccess(caller, null, true, entity);
}
// remove entry from acl_entity_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, null);
if (permit != null) {
// not removed yet
_policyPermissionDao.remove(permit.getId());
}
return policy;
}
@Override
public AclPolicyPermission getAclPolicyPermission(long accountId, String entityType, String action) {
List<AclPolicy> roles = listAclPolicies(accountId);
AclPolicyPermission curPerm = null;
for (AclPolicy role : roles) {
AclPolicyPermissionVO perm = _policyPermissionDao.findByPolicyAndEntity(role.getId(), entityType, null, null, action, Permission.Allow);
if (perm == null)
continue;
if (curPerm == null) {
curPerm = perm;
} else if (perm.getScope().greaterThan(curPerm.getScope())) {
// pick the more relaxed allowed permission
curPerm = perm;
}
}
return curPerm;
}
@Override
public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
boolean accessible = false;
List<Long> policyIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
policyIds.add(policy.getId());
}
SearchBuilder<AclPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("action", sb.entity().getAction(), Op.EQ);
sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
SearchCriteria<AclPolicyPermissionVO> sc = sb.create();
sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
List<AclPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
if (permissions != null && !permissions.isEmpty()) {
accessible = true;
}
return accessible;
}
@Override
public List<AclPolicy> getEffectivePolicies(Account caller, ControlledEntity entity) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(caller.getId());
// add any dynamic policies w.r.t the entity
if (caller.getId() == entity.getAccountId()) {
// The caller owns the entity
AclPolicy owner = _aclPolicyDao.findByName(Domain.ROOT_DOMAIN, "RESOURCE_OWNER");
policies.add(owner);
}
return policies;
}
@Override
public List<Long> getGrantedDomains(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Domain scope
List<Long> domainIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.DOMAIN);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
domainIds.add(p.getScopeId());
}
}
}
}
return domainIds;
}
@Override
public List<Long> getGrantedAccounts(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Account scope
List<Long> accountIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.ACCOUNT);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
accountIds.add(p.getScopeId());
}
}
}
}
return accountIds;
}
@Override
public List<Long> getGrantedResources(long accountId, String action) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission with Resource scope
List<Long> entityIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action, PermissionScope.RESOURCE);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
entityIds.add(p.getScopeId());
}
}
}
}
return entityIds;
}
}

68
services/iam/plugin/src/org/apache/cloudstack/acl/api/RoleBasedAPIAccessChecker.java Normal file
View File

@ -0,0 +1,68 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.api;
import java.util.List;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.cloudstack.acl.APIChecker;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclRole;
import org.apache.cloudstack.acl.AclService;
import org.apache.log4j.Logger;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.user.Account;
import com.cloud.user.AccountService;
import com.cloud.user.User;
import com.cloud.utils.component.AdapterBase;
// This is the Role Based API access checker that grab's the account's roles
// based on the set of roles, access is granted if any of the role has access to the api
@Local(value=APIChecker.class)
public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker {
protected static final Logger s_logger = Logger.getLogger(RoleBasedAPIAccessChecker.class);
@Inject AccountService _accountService;
@Inject AclService _aclService;
protected RoleBasedAPIAccessChecker() {
super();
}
@Override
public boolean checkAccess(User user, String commandName)
throws PermissionDeniedException {
Account account = _accountService.getAccount(user.getAccountId());
if (account == null) {
throw new PermissionDeniedException("The account id=" + user.getAccountId() + "for user id=" + user.getId() + "is null");
}
List<AclPolicy> policies = _aclService.listAclPolicies(account.getAccountId());
boolean isAllowed = _aclService.isAPIAccessibleForPolicies(commandName, policies);
if (!isAllowed) {
throw new PermissionDeniedException("The API does not exist or is blacklisted. api: " + commandName);
}
return isAllowed;
}
}

131
services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityAccessChecker.java Normal file
View File

@ -0,0 +1,131 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.entity;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import javax.inject.Inject;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclPolicyPermissionVO;
import org.apache.cloudstack.acl.AclService;
import org.apache.cloudstack.acl.ControlledEntity;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.acl.dao.AclPolicyPermissionDao;
import org.apache.log4j.Logger;
import com.cloud.acl.DomainChecker;
import com.cloud.domain.dao.DomainDao;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.user.Account;
import com.cloud.user.AccountService;
import com.cloud.vm.VirtualMachine;
public class RoleBasedEntityAccessChecker extends DomainChecker implements SecurityChecker {
private static final Logger s_logger = Logger.getLogger(RoleBasedEntityAccessChecker.class.getName());
@Inject
AccountService _accountService;
@Inject
AclService _aclService;
@Inject DomainDao _domainDao;
@Inject
AclGroupAccountMapDao _aclGroupAccountMapDao;
@Inject
AclPolicyPermissionDao _policyPermissionDao;
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType)
throws PermissionDeniedException {
return checkAccess(caller, entity, accessType, null);
}
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
throws PermissionDeniedException {
String entityType = entity.getEntityType().toString();
if (accessType == null) {
accessType = AccessType.ListEntry;
}
// get all Policies of this caller w.r.t the entity
List<AclPolicy> policies = _aclService.getEffectivePolicies(caller, entity);
HashMap<AclPolicy, Boolean> policyPermissionMap = new HashMap<AclPolicy, Boolean>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> permissions = new ArrayList<AclPolicyPermissionVO>();
if (action != null) {
permissions = _policyPermissionDao.listByPolicyActionAndEntity(policy.getId(),
action, entityType);
} else {
permissions = _policyPermissionDao.listByPolicyAccessAndEntity(policy.getId(), accessType, entityType);
}
for (AclPolicyPermissionVO permission : permissions) {
if (checkPermissionScope(caller, permission.getScope(), entity)) {
if (permission.getEntityType().equals(entityType)) {
policyPermissionMap.put(policy, permission.getPermission().isGranted());
break;
} else if (permission.getEntityType().equals("*")) {
policyPermissionMap.put(policy, permission.getPermission().isGranted());
}
}
}
if (policyPermissionMap.containsKey(policy) && policyPermissionMap.get(policy)) {
return true;
}
}
if (!policies.isEmpty()) { // Since we reach this point, none of the
// roles granted access
if (s_logger.isDebugEnabled()) {
s_logger.debug("Account " + caller + " does not have permission to access resource " + entity
+ " for access type: " + accessType);
}
throw new PermissionDeniedException(caller + " does not have permission to access resource " + entity);
}
return false;
}
private boolean checkPermissionScope(Account caller, PermissionScope scope, ControlledEntity entity) {
if(scope.equals(PermissionScope.ACCOUNT)){
if(caller.getAccountId() == entity.getAccountId()){
return true;
}
}else if(scope.equals(PermissionScope.DOMAIN)){
if (_domainDao.isChildDomain(caller.getDomainId(), entity.getDomainId())) {
return true;
}
}
return false;
}
}

51
services/iam/plugin/src/org/apache/cloudstack/acl/entity/RoleBasedEntityQueryChecker.java Normal file
View File

@ -0,0 +1,51 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.acl.entity;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclEntityType;
import org.apache.cloudstack.acl.QueryChecker;
import com.cloud.user.Account;
import com.cloud.utils.component.AdapterBase;
public class RoleBasedEntityQueryChecker extends AdapterBase implements QueryChecker {
private static final Logger s_logger = Logger.getLogger(RoleBasedEntityQueryChecker.class.getName());
@Override
public List<Long> getAuthorizedDomains(Account caller, AclEntityType entityType) {
// TODO Auto-generated method stub
return null;
}
@Override
public List<Long> getAuthorizedAccounts(Account caller, AclEntityType entityType) {
// TODO Auto-generated method stub
return null;
}
@Override
public List<Long> getAuthorizedResources(Account caller, AclEntityType entityType) {
// TODO Auto-generated method stub
return null;
}
}

37
services/iam/pom.xml Normal file
View File

@ -0,0 +1,37 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>cloudstack-service-iam</artifactId>
<name>Apache CloudStack IAM Service</name>
<packaging>pom</packaging>
<parent>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloudstack-services</artifactId>
<version>4.3.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<build>
<defaultGoal>install</defaultGoal>
</build>
<modules>
<module>plugin</module>
<module>server</module>
</modules>
</project>

53
services/iam/server/pom.xml Normal file
View File

@ -0,0 +1,53 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>cloud-iam</artifactId>
<name>Apache CloudStack IAM - Server</name>
<parent>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloudstack-service-iam</artifactId>
<version>4.3.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<dependencies>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
</dependency>
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-utils</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-api</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
</project>

28
services/iam/server/src/org/apache/cloudstack/iam/api/AclGroup.java Normal file
View File

@ -0,0 +1,28 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api;
public interface AclGroup {
String getName();
String getDescription();
long getId();
String getUuid();
}

32
services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicy.java Normal file
View File

@ -0,0 +1,32 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api;
public interface AclPolicy {
String getName();
String getDescription();
public enum PolicyType {
Static, Dynamic
}
long getId();
String getUuid();
}

52
services/iam/server/src/org/apache/cloudstack/iam/api/AclPolicyPermission.java Normal file
View File

@ -0,0 +1,52 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api;
public interface AclPolicyPermission {
String getAction();
long getAclPolicyId();
String getEntityType();
String getAccessType();
String getScope();
Long getScopeId();
Permission getPermission();
public enum Permission {
Allow(true), Deny(false);
boolean result;
Permission(boolean result) {
this.result = result;
}
public boolean isGranted() {
return result;
}
}
long getId();
}

57
services/iam/server/src/org/apache/cloudstack/iam/api/IAMService.java Normal file
View File

@ -0,0 +1,57 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api;
import java.util.List;
import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
public interface IAMService {
/* ACL group related interfaces */
AclGroup createAclGroup(String aclGroupName, String description, String path);
boolean deleteAclGroup(Long aclGroupId);
List<AclGroup> listAclGroups(long accountId);
AclGroup addAccountsToGroup(List<Long> acctIds, Long groupId);
AclGroup removeAccountsFromGroup(List<Long> acctIds, Long groupId);
/* ACL Policy related interfaces */
AclPolicy createAclPolicy(String aclPolicyName, String description, Long parentPolicyId);
boolean deleteAclPolicy(long aclPolicyId);
List<AclPolicy> listAclPolicies(long accountId);
AclGroup attachAclPoliciesToGroup(List<Long> policyIds, Long groupId);
AclGroup removeAclPoliciesFromGroup(List<Long> policyIds, Long groupId);
AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
String action, String accessType, Permission perm);
AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
String action);
boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies);
List<Long> getGrantedEntities(long accountId, String action, String scope);
}

121
services/iam/server/src/org/apache/cloudstack/iam/api/command/AddAccountToAclGroupCmd.java Normal file
View File

@ -0,0 +1,121 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "addAccountToAclGroup", description = "add account to an acl group", responseObject = AclGroupResponse.class)
public class AddAccountToAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddAccountToAclGroupCmd.class.getName());
private static final String s_name = "addaccounttoaclgroupresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class,
required = true, description = "The ID of the acl group")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the acl group.")
private List<Long> accountIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getAccountIdList() {
return accountIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.addAccountsToGroup(accountIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add accounts to acl group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "adding accounts to acl group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
}
}

144
services/iam/server/src/org/apache/cloudstack/iam/api/command/AddAclPermissionToAclPolicyCmd.java Normal file
View File

@ -0,0 +1,144 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.AclPolicyPermission.Permission;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "addAclPermissionToAclPolicy", description = "Add Acl permission to an acl policy", responseObject = AclPolicyResponse.class)
public class AddAclPermissionToAclPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AddAclPermissionToAclPolicyCmd.class.getName());
private static final String s_name = "addaclpermissiontoaclpolicyresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclPolicyResponse.class,
required = true, description = "The ID of the acl policy")
private Long id;
@Parameter(name = ApiConstants.ACL_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
private String action;
@Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
private String entityType;
@Parameter(name = ApiConstants.ACL_SCOPE, type = CommandType.STRING,
required = false, description = "acl permission scope")
private String scope;
@Parameter(name = ApiConstants.ACL_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id")
private Long scopeId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public String getAction() {
return action;
}
public String getEntityType() {
return entityType;
}
public String getScope() {
return scope;
}
public Long getScopeId() {
return scopeId;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl policy Id: " + getId());
// Only explicit ALLOW is supported for this release, no explicit deny
AclPolicy result = _aclService.addAclPermissionToAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action, Permission.Allow);
if (result != null) {
AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to grant permission to acl policy " + getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_POLICY_GRANT;
}
@Override
public String getEventDescription() {
return "granting permission to acl policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclPolicy;
}
}

121
services/iam/server/src/org/apache/cloudstack/iam/api/command/AttachAclPolicyToAclGroupCmd.java Normal file
View File

@ -0,0 +1,121 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "attachAclPolicyToAclGroup", description = "attach acl policy to an acl group", responseObject = AclGroupResponse.class)
public class AttachAclPolicyToAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(AttachAclPolicyToAclGroupCmd.class.getName());
private static final String s_name = "attachaclpolicytoaclgroupresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class,
required = true, description = "The ID of the acl group")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACL_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclPolicyResponse.class, description = "comma separated list of acl policy id that are going to be applied to the acl group.")
private List<Long> policyIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getPolicyIdList() {
return policyIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.attachAclPoliciesToGroup(policyIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to acl group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "adding acl roles to acl group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
}
}

162
services/iam/server/src/org/apache/cloudstack/iam/api/command/CreateAclGroupCmd.java Normal file
View File

@ -0,0 +1,162 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.DomainResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.user.Account;
@APICommand(name = "createAclGroup", responseObject = AclGroupResponse.class, description = "Creates an acl group")
public class CreateAclGroupCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateAclGroupCmd.class.getName());
private static final String s_name = "createaclgroupresponse";
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the acl group. Must be used with domainId.")
private String accountName;
@Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the acl group", entityType = DomainResponse.class)
private Long domainId;
@Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the acl group")
private String description;
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the acl group")
private String name;
// ///////////////////////////////////////////////////
// ///////////////// Accessors ///////////////////////
// ///////////////////////////////////////////////////
public String getAccountName() {
return accountName;
}
public String getDescription() {
return description;
}
public Long getDomainId() {
return domainId;
}
public String getName() {
return name;
}
// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
Account account = CallContext.current().getCallingAccount();
if ((account == null) || _accountService.isAdmin(account.getType())) {
if ((domainId != null) && (accountName != null)) {
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
if (userAccount != null) {
return userAccount.getId();
}
}
}
if (account != null) {
return account.getId();
}
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
// command to SYSTEM so ERROR events
// are tracked
}
@Override
public void execute() {
AclGroup grp = _entityMgr.findById(AclGroup.class, getEntityId());
if (grp != null) {
AclGroupResponse response = _responseGenerator.createAclGroupResponse(grp);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl group:" + name);
}
}
@Override
public void create() throws ResourceAllocationException {
Account account = CallContext.current().getCallingAccount();
AclGroup result = _aclService.createAclGroup(account, name, description);
if (result != null) {
setEntityId(result.getId());
setEntityUuid(result.getUuid());
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl group entity" + name);
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_CREATE;
}
@Override
public String getEventDescription() {
return "creating Acl group";
}
@Override
public String getCreateEventType() {
return EventTypes.EVENT_ACL_GROUP_CREATE;
}
@Override
public String getCreateEventDescription() {
return "creating acl group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
}
}

169
services/iam/server/src/org/apache/cloudstack/iam/api/command/CreateAclPolicyCmd.java Normal file
View File

@ -0,0 +1,169 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.DomainResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.user.Account;
@APICommand(name = "createAclPolicy", responseObject = AclPolicyResponse.class, description = "Creates an acl policy")
public class CreateAclPolicyCmd extends BaseAsyncCreateCmd {
public static final Logger s_logger = Logger.getLogger(CreateAclPolicyCmd.class.getName());
private static final String s_name = "createaclpolicyresponse";
// ///////////////////////////////////////////////////
// ////////////// API parameters /////////////////////
// ///////////////////////////////////////////////////
@Parameter(name = ApiConstants.ACCOUNT, type = CommandType.STRING, description = "an account for the acl policy. Must be used with domainId.")
private String accountName;
@Parameter(name = ApiConstants.DOMAIN_ID, type = CommandType.UUID, description = "domainId of the account owning the acl policy", entityType = DomainResponse.class)
private Long domainId;
@Parameter(name = ApiConstants.DESCRIPTION, type = CommandType.STRING, description = "optional description of the acl policy")
private String description;
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = true, description = "name of the acl policy")
private String name;
@ACL
@Parameter(name = ApiConstants.ACL_PARENT_POLICY_ID, type = CommandType.UUID, description = "The ID of parent acl policy.", entityType = AclPolicyResponse.class)
private Long parentPolicyId;
// ///////////////////////////////////////////////////
// ///////////////// Accessors ///////////////////////
// ///////////////////////////////////////////////////
public String getAccountName() {
return accountName;
}
public String getDescription() {
return description;
}
public Long getDomainId() {
return domainId;
}
public String getName() {
return name;
}
public Long getParentPolicyId() {
return parentPolicyId;
}
// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
Account account = CallContext.current().getCallingAccount();
if ((account == null) || _accountService.isAdmin(account.getType())) {
if ((domainId != null) && (accountName != null)) {
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
if (userAccount != null) {
return userAccount.getId();
}
}
}
if (account != null) {
return account.getId();
}
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this
// command to SYSTEM so ERROR events
// are tracked
}
@Override
public void execute() {
AclPolicy policy = _entityMgr.findById(AclPolicy.class, getEntityId());
if (policy != null) {
AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(policy);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl policy:" + name);
}
}
@Override
public void create() throws ResourceAllocationException {
Account account = CallContext.current().getCallingAccount();
AclPolicy result = _aclService.createAclPolicy(account, name, description, parentPolicyId);
if (result != null) {
setEntityId(result.getId());
setEntityUuid(result.getUuid());
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create acl policy entity" + name);
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_POLICY_CREATE;
}
@Override
public String getEventDescription() {
return "creating Acl policy";
}
@Override
public String getCreateEventType() {
return EventTypes.EVENT_ACL_POLICY_CREATE;
}
@Override
public String getCreateEventDescription() {
return "creating acl policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclPolicy;
}
}

96
services/iam/server/src/org/apache/cloudstack/iam/api/command/DeleteAclGroupCmd.java Normal file
View File

@ -0,0 +1,96 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import com.cloud.event.EventTypes;
import com.cloud.user.Account;
@APICommand(name = "deleteAclGroup", description = "Deletes acl group", responseObject = SuccessResponse.class)
public class DeleteAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteAclGroupCmd.class.getName());
private static final String s_name = "deleteaclgroupresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl group.", required = true, entityType = AclGroupResponse.class)
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM;
}
@Override
public void execute(){
boolean result = _aclService.deleteAclGroup(id);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_DELETE;
}
@Override
public String getEventDescription() {
return "Deleting Acl group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
}
}

96
services/iam/server/src/org/apache/cloudstack/iam/api/command/DeleteAclPolicyCmd.java Normal file
View File

@ -0,0 +1,96 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.SuccessResponse;
import com.cloud.event.EventTypes;
import com.cloud.user.Account;
@APICommand(name = "deleteAclPolicy", description = "Deletes acl policy", responseObject = SuccessResponse.class)
public class DeleteAclPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(DeleteAclPolicyCmd.class.getName());
private static final String s_name = "deleteaclpolicyresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "The ID of the acl role.", required = true, entityType = AclPolicyResponse.class)
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM;
}
@Override
public void execute(){
boolean result = _aclService.deleteAclPolicy(id);
if (result) {
SuccessResponse response = new SuccessResponse(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete acl policy");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_POLICY_DELETE;
}
@Override
public String getEventDescription() {
return "Deleting Acl role";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclPolicy;
}
}

82
services/iam/server/src/org/apache/cloudstack/iam/api/command/ListAclGroupsCmd.java Normal file
View File

@ -0,0 +1,82 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.ListResponse;
@APICommand(name = "listAclGroups", description = "Lists acl groups", responseObject = AclGroupResponse.class)
public class ListAclGroupsCmd extends BaseListDomainResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListAclGroupsCmd.class.getName());
private static final String s_name = "listaclgroupsresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists acl groups by name")
private String aclGroupName;
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the acl group by the id provided", entityType = AclGroupResponse.class)
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public String getAclGroupName() {
return aclGroupName;
}
public Long getId(){
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public void execute(){
ListResponse<AclGroupResponse> response = _queryService.listAclGroups(id, aclGroupName, getDomainId(),
getStartIndex(), getPageSizeVal());
response.setResponseName(getCommandName());
setResponseObject(response);
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
}
}

82
services/iam/server/src/org/apache/cloudstack/iam/api/command/ListAclPoliciesCmd.java Normal file
View File

@ -0,0 +1,82 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import org.apache.log4j.Logger;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.api.response.ListResponse;
@APICommand(name = "listAclPolicies", description = "Lists acl policies", responseObject = AclPolicyResponse.class)
public class ListAclPoliciesCmd extends BaseListDomainResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListAclPoliciesCmd.class.getName());
private static final String s_name = "listaclpoliciesresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@Parameter(name = ApiConstants.NAME, type = CommandType.STRING, description = "lists acl policies by name")
private String aclPolicyName;
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, description = "list the acl policy by the id provided", entityType = AclPolicyResponse.class)
private Long id;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public String getAclPolicyName() {
return aclPolicyName;
}
public Long getId(){
return id;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public void execute(){
ListResponse<AclPolicyResponse> response = _queryService.listAclPolicies(id, aclPolicyName, getDomainId(),
getStartIndex(), getPageSizeVal());
response.setResponseName(getCommandName());
setResponseObject(response);
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclPolicy;
}
}

121
services/iam/server/src/org/apache/cloudstack/iam/api/command/RemoveAccountFromAclGroupCmd.java Normal file
View File

@ -0,0 +1,121 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AccountResponse;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "removeAccountFromAclGroup", description = "remove accounts from an acl group", responseObject = AclGroupResponse.class)
public class RemoveAccountFromAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAccountFromAclGroupCmd.class.getName());
private static final String s_name = "removeaccountfromaclgroupresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class,
required = true, description = "The ID of the acl group")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACCOUNTS, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AccountResponse.class, description = "comma separated list of account id that are going to be assigned to the acl group.")
private List<Long> accountIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getAccountIdList() {
return accountIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.removeAccountsFromGroup(accountIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove accounts from acl group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "removing accounts from acl group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
}
}

141
services/iam/server/src/org/apache/cloudstack/iam/api/command/RemoveAclPermissionFromAclPolicyCmd.java Normal file
View File

@ -0,0 +1,141 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclPolicy;
import org.apache.cloudstack.acl.PermissionScope;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "removeAclPermissionFromAclPolicy", description = "Remove acl permission from an acl policy", responseObject = AclPolicyResponse.class)
public class RemoveAclPermissionFromAclPolicyCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAclPermissionFromAclPolicyCmd.class.getName());
private static final String s_name = "removeaclpermissionfromaclpolicyresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclPolicyResponse.class,
required = true, description = "The ID of the acl policy")
private Long id;
@Parameter(name = ApiConstants.ACL_ACTION, type = CommandType.STRING, required = true, description = "action api name.")
private String action;
@Parameter(name = ApiConstants.ENTITY_TYPE, type = CommandType.STRING, required = false, description = "entity class simple name.")
private String entityType;
@Parameter(name = ApiConstants.ACL_SCOPE, type = CommandType.STRING,
required = false, description = "acl permission scope")
private String scope;
@Parameter(name = ApiConstants.ACL_SCOPE_ID, type = CommandType.UUID, required = false, description = "The ID of the permission scope id")
private Long scopeId;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public String getAction() {
return action;
}
public String getEntityType() {
return entityType;
}
public String getScope() {
return scope;
}
public Long getScopeId() {
return scopeId;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl policy Id: " + getId());
AclPolicy result = _aclService.removeAclPermissionFromAclPolicy(id, entityType, PermissionScope.valueOf(scope), scopeId, action);
if (result != null) {
AclPolicyResponse response = _responseGenerator.createAclPolicyResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to remove permission from acl policy " + getId());
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_POLICY_REVOKE;
}
@Override
public String getEventDescription() {
return "removing permission from acl policy";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclPolicy;
}
}

121
services/iam/server/src/org/apache/cloudstack/iam/api/command/RemoveAclPolicyFromAclGroupCmd.java Normal file
View File

@ -0,0 +1,121 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.api.command;
import java.util.List;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.AclGroup;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.response.AclGroupResponse;
import org.apache.cloudstack.api.response.AclPolicyResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.EventTypes;
import com.cloud.exception.InsufficientCapacityException;
import com.cloud.exception.ResourceUnavailableException;
import com.cloud.user.Account;
@APICommand(name = "removeAclPolicyFromAclGroup", description = "remove acl policy from an acl group", responseObject = AclGroupResponse.class)
public class RemoveAclPolicyFromAclGroupCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RemoveAclPolicyFromAclGroupCmd.class.getName());
private static final String s_name = "removeaclpolicyfromaclgroupresponse";
/////////////////////////////////////////////////////
//////////////// API parameters /////////////////////
/////////////////////////////////////////////////////
@ACL
@Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AclGroupResponse.class,
required = true, description = "The ID of the acl group")
private Long id;
@ACL
@Parameter(name = ApiConstants.ACL_POLICIES, type = CommandType.LIST, collectionType = CommandType.UUID, entityType = AclPolicyResponse.class, description = "comma separated list of acl policy id that are going to be applied to the acl group.")
private List<Long> policyIdList;
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Long getId() {
return id;
}
public List<Long> getRoleIdList() {
return policyIdList;
}
/////////////////////////////////////////////////////
/////////////// API Implementation///////////////////
/////////////////////////////////////////////////////
@Override
public String getCommandName() {
return s_name;
}
@Override
public long getEntityOwnerId() {
return Account.ACCOUNT_ID_SYSTEM; // no account info given, parent this command to SYSTEM so ERROR events are tracked
}
@Override
public void execute() throws ResourceUnavailableException,
InsufficientCapacityException, ServerApiException {
CallContext.current().setEventDetails("Acl group Id: " + getId());
AclGroup result = _aclService.removeAclPoliciesFromGroup(policyIdList, id);
if (result != null){
AclGroupResponse response = _responseGenerator.createAclGroupResponse(result);
response.setResponseName(getCommandName());
setResponseObject(response);
} else {
throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add roles to acl group");
}
}
@Override
public String getEventType() {
return EventTypes.EVENT_ACL_GROUP_UPDATE;
}
@Override
public String getEventDescription() {
return "removing acl roles from acl group";
}
@Override
public ApiCommandJobType getInstanceType() {
return ApiCommandJobType.AclGroup;
}
}

78
services/iam/server/src/org/apache/cloudstack/iam/server/AclGroupAccountMapVO.java Normal file
View File

@ -0,0 +1,78 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_group_account_map"))
public class AclGroupAccountMapVO {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private Long id;
@Column(name = "group_id")
private long aclGroupId;
@Column(name = "account_id")
private long accountId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclGroupAccountMapVO() {
}
public AclGroupAccountMapVO(long aclGroupId, long accountId) {
this.aclGroupId = aclGroupId;
this.accountId = accountId;
}
public long getId() {
return id;
}
public long getAclGroupId() {
return aclGroupId;
}
public long getAccountId() {
return accountId;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}

79
services/iam/server/src/org/apache/cloudstack/iam/server/AclGroupPolicyMapVO.java Normal file
View File

@ -0,0 +1,79 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_group_policy_map"))
public class AclGroupPolicyMapVO {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private Long id;
@Column(name = "group_id")
private long aclGroupId;
@Column(name = "policy_id")
private long aclPolicyId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclGroupPolicyMapVO() {
}
public AclGroupPolicyMapVO(long aclGroupId, long aclPolicyId) {
this.aclGroupId = aclGroupId;
this.aclPolicyId = aclPolicyId;
}
public long getId() {
return id;
}
public long getAclGroupId() {
return aclGroupId;
}
public long getAclPolicyId() {
return aclPolicyId;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}

109
services/iam/server/src/org/apache/cloudstack/iam/server/AclGroupVO.java Normal file
View File

@ -0,0 +1,109 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import java.util.UUID;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.iam.api.AclGroup;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_group"))
public class AclGroupVO implements AclGroup {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "uuid")
private String uuid;
@Column(name = "path")
private String path;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclGroupVO() {
uuid = UUID.randomUUID().toString();
}
public AclGroupVO(String name, String description) {
this.name = name;
this.description = description;
uuid = UUID.randomUUID().toString();
path = "/";
}
@Override
public long getId() {
return id;
}
@Override
public String getName() {
return name;
}
@Override
public String getDescription() {
return description;
}
public String getPath() {
return path;
}
public void setPath(String path) {
this.path = path;
}
@Override
public String getUuid() {
return uuid;
}
public void setUuid(String uuid) {
this.uuid = uuid;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}

172
services/iam/server/src/org/apache/cloudstack/iam/server/AclPolicyPermissionVO.java Normal file
View File

@ -0,0 +1,172 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.iam.api.AclPolicyPermission;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_policy_permission"))
public class AclPolicyPermissionVO implements AclPolicyPermission {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "policy_id")
private long aclPolicyId;
@Column(name = "action")
private String action;
@Column(name = "resource_type")
private String entityType;
@Column(name = "access_type")
private String accessType;
@Column(name = "scope")
private String scope;
@Column(name = "scope_id")
private Long scopeId;
@Column(name = "permission")
@Enumerated(value = EnumType.STRING)
private Permission permission;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
public AclPolicyPermissionVO() {
}
public AclPolicyPermissionVO(long aclPolicyId, String action, String entityType, String accessType, String scope,
Long scopeId, Permission permission) {
this.aclPolicyId = aclPolicyId;
this.action = action;
this.entityType = entityType;
this.accessType = accessType;
this.scope = scope;
this.scopeId = scopeId;
this.permission = permission;
}
@Override
public long getId() {
return id;
}
@Override
public long getAclPolicyId() {
return aclPolicyId;
}
public void setAclPolicyId(long aclPolicyId) {
this.aclPolicyId = aclPolicyId;
}
@Override
public String getEntityType() {
return entityType;
}
@Override
public String getAccessType() {
return accessType;
}
public void setEntityType(String entityType) {
this.entityType = entityType;
}
public void setAccessType(String accessType) {
this.accessType = accessType;
}
@Override
public String getScope() {
return scope;
}
public void setScope(String scope) {
this.scope = scope;
}
@Override
public String getAction() {
return action;
}
@Override
public Long getScopeId() {
// TODO
// handle special -1 scopeId, current caller domain, account
/*
* if ( scopeId < 0 ){ Account caller =
* CallContext.current().getCallingAccount(); if ( scope ==
* PermissionScope.DOMAIN){ return caller.getDomainId(); } else if
* (scope == PermissionScope.ACCOUNT) { return caller.getAccountId(); }
* }
*/
return scopeId;
}
@Override
public Permission getPermission() {
return permission;
}
public void setAction(String action) {
this.action = action;
}
public void setScopeId(Long scopeId) {
this.scopeId = scopeId;
}
public void setPermission(Permission permission) {
this.permission = permission;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
}

136
services/iam/server/src/org/apache/cloudstack/iam/server/AclPolicyVO.java Normal file
View File

@ -0,0 +1,136 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.Date;
import java.util.UUID;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import org.apache.cloudstack.iam.api.AclPolicy;
import com.cloud.utils.db.GenericDao;
@Entity
@Table(name = ("acl_policy"))
public class AclPolicyVO implements AclPolicy {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
private long id;
@Column(name = "name")
private String name;
@Column(name = "description")
private String description;
@Column(name = "uuid")
private String uuid;
@Column(name = "domain_id")
private long domainId;
@Column(name = "account_id")
private long accountId;
@Column(name = GenericDao.REMOVED_COLUMN)
private Date removed;
@Column(name = GenericDao.CREATED_COLUMN)
private Date created;
@Column(name = "policy_type")
@Enumerated(value = EnumType.STRING)
private AclPolicy.PolicyType policyType;
public AclPolicyVO() {
uuid = UUID.randomUUID().toString();
}
public AclPolicyVO(String name, String description) {
this.name = name;
this.description = description;
uuid = UUID.randomUUID().toString();
policyType = AclPolicy.PolicyType.Static;
}
@Override
public long getId() {
return id;
}
@Override
public String getName() {
return name;
}
@Override
public String getDescription() {
return description;
}
@Override
public String getUuid() {
return uuid;
}
public void setUuid(String uuid) {
this.uuid = uuid;
}
public Date getRemoved() {
return removed;
}
public Date getCreated() {
return created;
}
public long getDomainId() {
return domainId;
}
public void setDomainId(long domainId) {
this.domainId = domainId;
}
public long getAccountId() {
return accountId;
}
public void setAccountId(long accountId) {
this.accountId = accountId;
}
public AclPolicy.PolicyType getPolicyType() {
return policyType;
}
public void setPolicyType(AclPolicy.PolicyType policyType) {
this.policyType = policyType;
}
}

543
services/iam/server/src/org/apache/cloudstack/iam/server/IAMServiceImpl.java Normal file
View File

@ -0,0 +1,543 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server;
import java.util.ArrayList;
import java.util.List;
import javax.ejb.Local;
import javax.inject.Inject;
import org.apache.log4j.Logger;
import org.apache.cloudstack.iam.api.AclGroup;
import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
import org.apache.cloudstack.iam.api.IAMService;
import org.apache.cloudstack.iam.server.dao.AclGroupAccountMapDao;
import org.apache.cloudstack.iam.server.dao.AclGroupDao;
import org.apache.cloudstack.iam.server.dao.AclGroupPolicyMapDao;
import org.apache.cloudstack.iam.server.dao.AclPolicyDao;
import org.apache.cloudstack.iam.server.dao.AclPolicyPermissionDao;
import org.apache.cloudstack.context.CallContext;
import com.cloud.event.ActionEvent;
import com.cloud.event.EventTypes;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.user.Account;
import com.cloud.utils.component.Manager;
import com.cloud.utils.component.ManagerBase;
import com.cloud.utils.db.DB;
import com.cloud.utils.db.EntityManager;
import com.cloud.utils.db.GenericSearchBuilder;
import com.cloud.utils.db.JoinBuilder.JoinType;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.SearchCriteria.Op;
import com.cloud.utils.db.Transaction;
import com.cloud.utils.db.TransactionCallback;
import com.cloud.utils.db.TransactionCallbackNoReturn;
import com.cloud.utils.db.TransactionStatus;
@Local(value = {IAMService.class})
public class IAMServiceImpl extends ManagerBase implements IAMService, Manager {
public static final Logger s_logger = Logger.getLogger(IAMServiceImpl.class);
private String _name;
@Inject
AclPolicyDao _aclPolicyDao;
@Inject
AclGroupDao _aclGroupDao;
@Inject
EntityManager _entityMgr;
@Inject
AclGroupPolicyMapDao _aclGroupPolicyMapDao;
@Inject
AclGroupAccountMapDao _aclGroupAccountMapDao;
@Inject
AclPolicyPermissionDao _policyPermissionDao;
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_CREATE, eventDescription = "Creating Acl Group", create = true)
public AclGroup createAclGroup(String aclGroupName, String description, String path) {
// check if the role is already existing
AclGroup grp = _aclGroupDao.findByName(path, aclGroupName);
if (grp != null) {
throw new InvalidParameterValueException(
"Unable to create acl group with name " + aclGroupName
+ " already exisits for path " + path);
}
AclGroupVO rvo = new AclGroupVO(aclGroupName, description);
rvo.setPath(path);
return _aclGroupDao.persist(rvo);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_DELETE, eventDescription = "Deleting Acl Group")
public boolean deleteAclGroup(final Long aclGroupId) {
// get the Acl Group entity
final AclGroup grp = _aclGroupDao.findById(aclGroupId);
if (grp == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + aclGroupId
+ "; failed to delete acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this group related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByGroupId(grp.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this group related entry in acl_group_account table
List<AclGroupAccountMapVO> groupAcctMap = _aclGroupAccountMapDao.listByGroupId(grp.getId());
if (groupAcctMap != null) {
for (AclGroupAccountMapVO grpAcct : groupAcctMap) {
_aclGroupAccountMapDao.remove(grpAcct.getId());
}
}
// remove this group from acl_group table
_aclGroupDao.remove(aclGroupId);
}
});
return true;
}
@Override
public List<AclGroup> listAclGroups(long accountId) {
GenericSearchBuilder<AclGroupAccountMapVO, Long> groupSB = _aclGroupAccountMapDao.createSearchBuilder(Long.class);
groupSB.selectFields(groupSB.entity().getAclGroupId());
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
SearchCriteria<Long> groupSc = groupSB.create();
List<Long> groupIds = _aclGroupAccountMapDao.customSearch(groupSc, null);
SearchBuilder<AclGroupVO> sb = _aclGroupDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclGroupVO> sc = sb.create();
sc.setParameters("ids", groupIds.toArray(new Object[groupIds.size()]));
List<AclGroupVO> groups = _aclGroupDao.search(sc, null);
return new ArrayList<AclGroup>(groups);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Adding accounts to acl group")
public AclGroup addAccountsToGroup(final List<Long> acctIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add accounts to acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_account_map table
for (Long acctId : acctIds) {
// check account permissions
AclGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap == null) {
// not there already
grMap = new AclGroupAccountMapVO(groupId, acctId);
_aclGroupAccountMapDao.persist(grMap);
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing accounts from acl group")
public AclGroup removeAccountsFromGroup(final List<Long> acctIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove accounts from acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_group_account_map table
for (Long acctId : acctIds) {
AclGroupAccountMapVO grMap = _aclGroupAccountMapDao.findByGroupAndAccount(groupId, acctId);
if (grMap != null) {
// not removed yet
_aclGroupAccountMapDao.remove(grMap.getId());
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_CREATE, eventDescription = "Creating Acl Policy", create = true)
public AclPolicy createAclPolicy(final String aclPolicyName, final String description, final Long parentPolicyId) {
// check if the policy is already existing
AclPolicy ro = _aclPolicyDao.findByName(aclPolicyName);
if (ro != null) {
throw new InvalidParameterValueException(
"Unable to create acl policy with name " + aclPolicyName
+ " already exisits");
}
AclPolicy role = Transaction.execute(new TransactionCallback<AclPolicy>() {
@Override
public AclPolicy doInTransaction(TransactionStatus status) {
AclPolicyVO rvo = new AclPolicyVO(aclPolicyName, description);
AclPolicy role = _aclPolicyDao.persist(rvo);
if (parentPolicyId != null) {
// copy parent role permissions
List<AclPolicyPermissionVO> perms = _policyPermissionDao.listByPolicy(parentPolicyId);
if (perms != null) {
for (AclPolicyPermissionVO perm : perms) {
perm.setAclPolicyId(role.getId());
_policyPermissionDao.persist(perm);
}
}
}
return role;
}
});
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_DELETE, eventDescription = "Deleting Acl Policy")
public boolean deleteAclPolicy(final long aclPolicyId) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
final AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to delete acl policy.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove this role related entry in acl_group_role_map
List<AclGroupPolicyMapVO> groupPolicyMap = _aclGroupPolicyMapDao.listByPolicyId(policy.getId());
if (groupPolicyMap != null) {
for (AclGroupPolicyMapVO gr : groupPolicyMap) {
_aclGroupPolicyMapDao.remove(gr.getId());
}
}
// remove this policy related entry in acl_policy_permission table
List<AclPolicyPermissionVO> policyPermMap = _policyPermissionDao.listByPolicy(policy.getId());
if (policyPermMap != null) {
for (AclPolicyPermissionVO policyPerm : policyPermMap) {
_policyPermissionDao.remove(policyPerm.getId());
}
}
// remove this role from acl_role table
_aclPolicyDao.remove(aclPolicyId);
}
});
return true;
}
@Override
public List<AclPolicy> listAclPolicies(long accountId) {
// static policies of the account
SearchBuilder<AclGroupAccountMapVO> groupSB = _aclGroupAccountMapDao.createSearchBuilder();
groupSB.and("account", groupSB.entity().getAccountId(), Op.EQ);
GenericSearchBuilder<AclGroupPolicyMapVO, Long> policySB = _aclGroupPolicyMapDao.createSearchBuilder(Long.class);
policySB.selectFields(policySB.entity().getAclPolicyId());
policySB.join("accountgroupjoin", groupSB, groupSB.entity().getAclGroupId(), policySB.entity().getAclGroupId(),
JoinType.INNER);
policySB.done();
SearchCriteria<Long> policySc = policySB.create();
policySc.setJoinParameters("accountgroupjoin", "account", accountId);
List<Long> policyIds = _aclGroupPolicyMapDao.customSearch(policySc, null);
SearchBuilder<AclPolicyVO> sb = _aclPolicyDao.createSearchBuilder();
sb.and("ids", sb.entity().getId(), Op.IN);
SearchCriteria<AclPolicyVO> sc = sb.create();
sc.setParameters("ids", policyIds.toArray(new Object[policyIds.size()]));
List<AclPolicyVO> policies = _aclPolicyDao.customSearch(sc, null);
return new ArrayList<AclPolicy>(policies);
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Attaching policy to acl group")
public AclGroup attachAclPoliciesToGroup(final List<Long> policyIds, final Long groupId) {
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to add roles to acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_policy_map table
for (Long policyId : policyIds) {
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap == null) {
// not there already
grMap = new AclGroupPolicyMapVO(groupId, policyId);
_aclGroupPolicyMapDao.persist(grMap);
}
}
}
});
return group;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_GROUP_UPDATE, eventDescription = "Removing policies from acl group")
public AclGroup removeAclPoliciesFromGroup(final List<Long> policyIds, final Long groupId) {
final Account caller = CallContext.current().getCallingAccount();
// get the Acl Group entity
AclGroup group = _aclGroupDao.findById(groupId);
if (group == null) {
throw new InvalidParameterValueException("Unable to find acl group: " + groupId
+ "; failed to remove roles from acl group.");
}
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_group_role_map table
for (Long policyId : policyIds) {
AclPolicy policy = _aclPolicyDao.findById(policyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + policyId
+ "; failed to add policies to acl group.");
}
AclGroupPolicyMapVO grMap = _aclGroupPolicyMapDao.findByGroupAndPolicy(groupId, policyId);
if (grMap != null) {
// not removed yet
_aclGroupPolicyMapDao.remove(grMap.getId());
}
}
}
});
return group;
}
/*
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting permission to Acl Role")
public AclP addAclPermissionToAclPolicy(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclPolicyDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to grant permission to role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// add entries in acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm == null) {
// not there already
perm = new AclApiPermissionVO(aclRoleId, api);
_apiPermissionDao.persist(perm);
}
}
}
});
return role;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking permission from Acl Role")
public AclRole revokeApiPermissionFromAclRole(final long aclRoleId, final List<String> apiNames) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Role entity
AclRole role = _aclPolicyDao.findById(aclRoleId);
if (role == null) {
throw new InvalidParameterValueException("Unable to find acl role: " + aclRoleId
+ "; failed to revoke permission from role.");
}
// check permissions
_accountMgr.checkAccess(caller, null, true, role);
Transaction.execute(new TransactionCallbackNoReturn() {
@Override
public void doInTransactionWithoutResult(TransactionStatus status) {
// remove entries from acl_api_permission table
for (String api : apiNames) {
AclApiPermissionVO perm = _apiPermissionDao.findByRoleAndApi(aclRoleId, api);
if (perm != null) {
// not removed yet
_apiPermissionDao.remove(perm.getId());
}
}
}
});
return role;
}
*/
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_GRANT, eventDescription = "Granting acl permission to Acl Policy")
public AclPolicy addAclPermissionToAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
String action, String accessType, Permission perm) {
Account caller = CallContext.current().getCallingAccount();
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to add permission to policy.");
}
// add entry in acl_policy_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, perm);
if (permit == null) {
// not there already
permit = new AclPolicyPermissionVO(aclPolicyId, action, entityType, accessType, scope, scopeId, perm);
_policyPermissionDao.persist(permit);
}
return policy;
}
@DB
@Override
@ActionEvent(eventType = EventTypes.EVENT_ACL_POLICY_REVOKE, eventDescription = "Revoking acl permission from Acl Policy")
public AclPolicy removeAclPermissionFromAclPolicy(long aclPolicyId, String entityType, String scope, Long scopeId,
String action) {
// get the Acl Policy entity
AclPolicy policy = _aclPolicyDao.findById(aclPolicyId);
if (policy == null) {
throw new InvalidParameterValueException("Unable to find acl policy: " + aclPolicyId
+ "; failed to revoke permission from policy.");
}
// remove entry from acl_entity_permission table
AclPolicyPermissionVO permit = _policyPermissionDao.findByPolicyAndEntity(aclPolicyId, entityType, scope, scopeId, action, null);
if (permit != null) {
// not removed yet
_policyPermissionDao.remove(permit.getId());
}
return policy;
}
@Override
public boolean isAPIAccessibleForPolicies(String apiName, List<AclPolicy> policies) {
boolean accessible = false;
List<Long> policyIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
policyIds.add(policy.getId());
}
SearchBuilder<AclPolicyPermissionVO> sb = _policyPermissionDao.createSearchBuilder();
sb.and("action", sb.entity().getAction(), Op.EQ);
sb.and("policyId", sb.entity().getAclPolicyId(), Op.IN);
SearchCriteria<AclPolicyPermissionVO> sc = sb.create();
sc.setParameters("policyId", policyIds.toArray(new Object[policyIds.size()]));
List<AclPolicyPermissionVO> permissions = _policyPermissionDao.customSearch(sc, null);
if (permissions != null && !permissions.isEmpty()) {
accessible = true;
}
return accessible;
}
@Override
public List<Long> getGrantedEntities(long accountId, String action, String scope) {
// Get the static Policies of the Caller
List<AclPolicy> policies = listAclPolicies(accountId);
// for each policy, find granted permission within the given scope
List<Long> entityIds = new ArrayList<Long>();
for (AclPolicy policy : policies) {
List<AclPolicyPermissionVO> pp = _policyPermissionDao.listGrantedByActionAndScope(policy.getId(), action,
scope);
if (pp != null) {
for (AclPolicyPermissionVO p : pp) {
if (p.getScopeId() != null) {
entityIds.add(p.getScopeId());
}
}
}
}
return entityIds;
}
}

40
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclGroupAccountMapDao.java Normal file
View File

@ -0,0 +1,40 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import org.apache.cloudstack.iam.server.AclGroupAccountMapVO;
import com.cloud.utils.db.GenericDao;
public interface AclGroupAccountMapDao extends GenericDao<AclGroupAccountMapVO, Long> {
List<AclGroupAccountMapVO> listByGroupId(long groupId);
List<AclGroupAccountMapVO> listByAccountId(long accountId);
AclGroupAccountMapVO findAccountInAdminGroup(long accountId);
AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
void removeAccountFromGroups(long accountId);
AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
AclGroupAccountMapVO findAccountInUserGroup(long accountId);
}

119
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclGroupAccountMapDaoImpl.java Normal file
View File

@ -0,0 +1,119 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.server.AclGroupAccountMapVO;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Component;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class AclGroupAccountMapDaoImpl extends GenericDaoBase<AclGroupAccountMapVO, Long> implements AclGroupAccountMapDao {
private SearchBuilder<AclGroupAccountMapVO> ListByGroupId;
private SearchBuilder<AclGroupAccountMapVO> ListByAccountId;
private SearchBuilder<AclGroupAccountMapVO> _findByAccountAndGroupId;
public static final Logger s_logger = Logger.getLogger(AclGroupAccountMapDaoImpl.class.getName());
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
ListByGroupId = createSearchBuilder();
ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
ListByGroupId.done();
ListByAccountId = createSearchBuilder();
ListByAccountId.and("accountId", ListByAccountId.entity().getAccountId(), SearchCriteria.Op.EQ);
ListByAccountId.done();
_findByAccountAndGroupId = createSearchBuilder();
_findByAccountAndGroupId
.and("groupId", _findByAccountAndGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
_findByAccountAndGroupId.and("accountId", _findByAccountAndGroupId.entity().getAccountId(),
SearchCriteria.Op.EQ);
_findByAccountAndGroupId.done();
return true;
}
@Override
public List<AclGroupAccountMapVO> listByGroupId(long groupId) {
SearchCriteria<AclGroupAccountMapVO> sc = ListByGroupId.create();
sc.setParameters("groupId", groupId);
return listBy(sc);
}
@Override
public List<AclGroupAccountMapVO> listByAccountId(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = ListByAccountId.create();
sc.setParameters("accountId", accountId);
return listBy(sc);
}
@Override
public AclGroupAccountMapVO findAccountInAdminGroup(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 2);
return findOneBy(sc);
}
@Override
public AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 3);
return findOneBy(sc);
}
@Override
public AclGroupAccountMapVO findAccountInUserGroup(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 1);
return findOneBy(sc);
}
@Override
public AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", acctId);
sc.setParameters("groupId", groupId);
return findOneBy(sc);
}
@Override
public void removeAccountFromGroups(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = ListByAccountId.create();
sc.setParameters("accountId", accountId);
int rowsRemoved = remove(sc);
if (rowsRemoved > 0) {
s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
}
}
}

28
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclGroupDao.java Normal file
View File

@ -0,0 +1,28 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import org.apache.cloudstack.iam.api.AclGroup;
import org.apache.cloudstack.iam.server.AclGroupVO;
import com.cloud.utils.db.GenericDao;
public interface AclGroupDao extends GenericDao<AclGroupVO, Long> {
AclGroup findByName(String path, String groupName);
}

59
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclGroupDaoImpl.java Normal file
View File

@ -0,0 +1,59 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.api.AclGroup;
import org.apache.cloudstack.iam.server.AclGroupVO;
import org.springframework.stereotype.Component;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class AclGroupDaoImpl extends GenericDaoBase<AclGroupVO, Long> implements AclGroupDao {
private SearchBuilder<AclGroupVO> nameSearch;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
nameSearch = createSearchBuilder();
nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
nameSearch.and("path", nameSearch.entity().getPath(), SearchCriteria.Op.EQ);
nameSearch.done();
return true;
}
@Override
public AclGroup findByName(String path, String name) {
SearchCriteria<AclGroupVO> sc = nameSearch.create();
sc.setParameters("name", name);
if (path != null) {
sc.setParameters("path", path);
}
return findOneBy(sc);
}
}

16
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclGroupPolicyMapDao.java Normal file
View File

@ -0,0 +1,16 @@
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import org.apache.cloudstack.iam.server.AclGroupPolicyMapVO;
import com.cloud.utils.db.GenericDao;
public interface AclGroupPolicyMapDao extends GenericDao<AclGroupPolicyMapVO, Long> {
List<AclGroupPolicyMapVO> listByGroupId(long groupId);
List<AclGroupPolicyMapVO> listByPolicyId(long policyId);
AclGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId);
}

61
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclGroupPolicyMapDaoImpl.java Normal file
View File

@ -0,0 +1,61 @@
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.server.AclGroupPolicyMapVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
public class AclGroupPolicyMapDaoImpl extends GenericDaoBase<AclGroupPolicyMapVO, Long> implements AclGroupPolicyMapDao {
private SearchBuilder<AclGroupPolicyMapVO> ListByGroupId;
private SearchBuilder<AclGroupPolicyMapVO> ListByPolicyId;
private SearchBuilder<AclGroupPolicyMapVO> findByPolicyGroupId;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
ListByGroupId = createSearchBuilder();
ListByGroupId.and("groupId", ListByGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
ListByGroupId.done();
ListByPolicyId = createSearchBuilder();
ListByPolicyId.and("policyId", ListByPolicyId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
ListByPolicyId.done();
findByPolicyGroupId = createSearchBuilder();
findByPolicyGroupId.and("policyId", findByPolicyGroupId.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
findByPolicyGroupId.and("groupId", findByPolicyGroupId.entity().getAclGroupId(), SearchCriteria.Op.EQ);
findByPolicyGroupId.done();
return true;
}
@Override
public List<AclGroupPolicyMapVO> listByGroupId(long groupId) {
SearchCriteria<AclGroupPolicyMapVO> sc = ListByGroupId.create();
sc.setParameters("groupId", groupId);
return listBy(sc);
}
@Override
public List<AclGroupPolicyMapVO> listByPolicyId(long policyId) {
SearchCriteria<AclGroupPolicyMapVO> sc = ListByPolicyId.create();
sc.setParameters("policyId", policyId);
return listBy(sc);
}
@Override
public AclGroupPolicyMapVO findByGroupAndPolicy(long groupId, long policyId) {
SearchCriteria<AclGroupPolicyMapVO> sc = findByPolicyGroupId.create();
sc.setParameters("policyId", policyId);
sc.setParameters("groupId", groupId);
return findOneBy(sc);
}
}

28
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyDao.java Normal file
View File

@ -0,0 +1,28 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.server.AclPolicyVO;
import com.cloud.utils.db.GenericDao;
public interface AclPolicyDao extends GenericDao<AclPolicyVO, Long> {
AclPolicy findByName(String policyName);
}

57
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyDaoImpl.java Normal file
View File

@ -0,0 +1,57 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.api.AclPolicy;
import org.apache.cloudstack.iam.server.AclPolicyVO;
import org.springframework.stereotype.Component;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
@Component
public class AclPolicyDaoImpl extends GenericDaoBase<AclPolicyVO, Long> implements AclPolicyDao {
private SearchBuilder<AclPolicyVO> nameSearch;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
nameSearch = createSearchBuilder();
nameSearch.and("name", nameSearch.entity().getName(), SearchCriteria.Op.EQ);
// nameSearch.and("domainId", nameSearch.entity().getDomainId(),
// SearchCriteria.Op.EQ);
nameSearch.done();
return true;
}
@Override
public AclPolicy findByName(String name) {
SearchCriteria<AclPolicyVO> sc = nameSearch.create();
sc.setParameters("name", name);
return findOneBy(sc);
}
}

38
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDao.java Normal file
View File

@ -0,0 +1,38 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
import org.apache.cloudstack.iam.server.AclPolicyPermissionVO;
import com.cloud.utils.db.GenericDao;
public interface AclPolicyPermissionDao extends GenericDao<AclPolicyPermissionVO, Long> {
List<AclPolicyPermissionVO> listByPolicy(long policyId);
AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId,
String action, Permission perm);
List<AclPolicyPermissionVO> listGrantedByActionAndScope(long policyId, String action, String scope);
List<AclPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType);
List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long id, String accessType, String entityType);
}

115
services/iam/server/src/org/apache/cloudstack/iam/server/dao/AclPolicyPermissionDaoImpl.java Normal file
View File

@ -0,0 +1,115 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package org.apache.cloudstack.iam.server.dao;
import java.util.List;
import java.util.Map;
import javax.naming.ConfigurationException;
import org.apache.cloudstack.iam.api.AclPolicyPermission.Permission;
import org.apache.cloudstack.iam.server.AclPolicyPermissionVO;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
public class AclPolicyPermissionDaoImpl extends GenericDaoBase<AclPolicyPermissionVO, Long> implements
AclPolicyPermissionDao {
private SearchBuilder<AclPolicyPermissionVO> policyIdSearch;
private SearchBuilder<AclPolicyPermissionVO> fullSearch;
private SearchBuilder<AclPolicyPermissionVO> actionScopeSearch;
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
super.configure(name, params);
policyIdSearch = createSearchBuilder();
policyIdSearch.and("policyId", policyIdSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
policyIdSearch.done();
fullSearch = createSearchBuilder();
fullSearch.and("policyId", fullSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
fullSearch.and("entityType", fullSearch.entity().getEntityType(), SearchCriteria.Op.EQ);
fullSearch.and("scope", fullSearch.entity().getScope(), SearchCriteria.Op.EQ);
fullSearch.and("scopeId", fullSearch.entity().getScopeId(), SearchCriteria.Op.EQ);
fullSearch.and("action", fullSearch.entity().getAction(), SearchCriteria.Op.EQ);
fullSearch.and("permission", fullSearch.entity().getPermission(), SearchCriteria.Op.EQ);
fullSearch.and("accessType", fullSearch.entity().getAccessType(), SearchCriteria.Op.EQ);
fullSearch.done();
actionScopeSearch = createSearchBuilder();
actionScopeSearch.and("policyId", actionScopeSearch.entity().getAclPolicyId(), SearchCriteria.Op.EQ);
actionScopeSearch.and("scope", actionScopeSearch.entity().getScope(), SearchCriteria.Op.EQ);
actionScopeSearch.and("action", actionScopeSearch.entity().getAction(), SearchCriteria.Op.EQ);
actionScopeSearch.and("permission", actionScopeSearch.entity().getPermission(), SearchCriteria.Op.EQ);
actionScopeSearch.done();
return true;
}
@Override
public List<AclPolicyPermissionVO> listByPolicy(long policyId) {
SearchCriteria<AclPolicyPermissionVO> sc = policyIdSearch.create();
sc.setParameters("policyId", policyId);
return listBy(sc);
}
@Override
public AclPolicyPermissionVO findByPolicyAndEntity(long policyId, String entityType, String scope, Long scopeId,
String action, Permission perm) {
SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("scope", scope);
sc.setParameters("scopeId", scopeId);
sc.setParameters("action", action);
sc.setParameters("permission", perm);
return findOneBy(sc);
}
@Override
public List<AclPolicyPermissionVO> listGrantedByActionAndScope(long policyId, String action, String scope) {
SearchCriteria<AclPolicyPermissionVO> sc = actionScopeSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("action", action);
sc.setParameters("scope", scope);
sc.setParameters("permission", Permission.Allow);
return listBy(sc);
}
@Override
public List<AclPolicyPermissionVO> listByPolicyActionAndEntity(long policyId, String action, String entityType) {
SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("action", action);
return listBy(sc);
}
@Override
public List<AclPolicyPermissionVO> listByPolicyAccessAndEntity(long policyId, String accessType,
String entityType) {
SearchCriteria<AclPolicyPermissionVO> sc = fullSearch.create();
sc.setParameters("policyId", policyId);
sc.setParameters("entityType", entityType);
sc.setParameters("accessType", accessType);
return listBy(sc);
}
}

1
services/pom.xml
View File

@ -33,5 +33,6 @@
<modules>
<module>console-proxy</module>
<module>secondary-storage</module>
<module>iam</module>
</modules>
</project>